Date:      Tue, 22 Apr 2014 14:28:57 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-security@freebsd.org
Subject:   Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID:  <8783.1398202137@server1.tristatelogic.com>
In-Reply-To: <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com>


In message <DC2F9726-881B-4D42-879F-61377CA0210D@mac.com>, 
Charles Swiger <cswiger@mac.com> wrote:

>On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>> In the aftermath of this whole OpenSSL brouhaha... which none other than
>> Bruce Schneier publicly pronounced to be a 12, on a scale from 1 to 10,
>> in terms of awfulness... I do wonder if anyone has taken the time or effort
>> to run the OpenSSL sources through any kind of analyzer to try to obtain
>> some of the standard sorts of software science metrics on it.
>
>Sure.  Running clang's static analyzer against openssl-1.0.1g yields:
>
>Bug Type	Quantity
>All Bugs	182	
>
>Dead store
>	Dead assignment		121
>	Dead increment		12
>	Dead initialization	2
>
>Logic error
>	Assigned value is garbage or undefined		3
>	Branch condition evaluates to a garbage value	1
>	Dereference of null pointer			27
>	Division by zero				1
>	Result of operation is garbage or undefined	9
>	Uninitialized argument value			2
>	Unix API					4

Thank you for doing this.

Perhaps it goes without saying, but I'll say it anyway.  The above results
are at once both enlightening and disgusting.

Apparently, the OpenBSD guys are reorganizing/rewriting OpenSSL.  I hope
that they take the time to do what you have done *and* also to drive every
bleedin' last one of these numbers to zero.  I feel sure that the vast
majority of the issues uncovered by clang are not in any sense exploitable,
however it's the one or two or three that are that worry me.


Regards,
rfg


P.S.  I was reading last night about VP8.   In that case, apparently,
the formal specification for that protocol *is* the code.  (See RFC
6386, Section 1.)

If you have time, Charles, perhaps you could run this same analysis on
that code too, and report numbers for that as well.

I am *not* looking forward to the day when I'll be rooted because I was
watching funny kitten videos on YouTube.
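The "Dead assignment" and "Dead initialization" rows in the clang table above are the kind of finding that is usually harmless but occasionally marks a real logic bug. The following C is an added illustration, not code from this thread or from OpenSSL: it uses a constructed record format (one length byte, a payload, and an XOR checksum byte) to show how an error status that is assigned but never read can silently turn a rejected record into an accepted one, and what the corrected control flow looks like. Function names, the record layout and the sample records are all assumptions made for the example; running `scan-build` over a build of the buggy version is what produces the dead-store report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (hypothetical, not any real protocol):
   rec[0] = payload length, rec[1..plen] = payload, rec[1+plen] = XOR checksum. */
static uint8_t xor_checksum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++)
        c ^= p[i];
    return c;
}

/* Copy the payload out if it fits; 0 on success, -1 otherwise. */
static int copy_payload(const uint8_t *src, size_t n, uint8_t *dst, size_t dst_len)
{
    if (n > dst_len)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Defective version. The checksum mismatch sets err, but nothing reads that
   value before copy_payload() overwrites it, so a corrupted record is
   reported as successfully parsed. clang's analyzer reports both the
   initializer ("Dead initialization") and the -1 assignment ("Dead
   assignment": "Value stored to 'err' is never read"). */
int parse_record_buggy(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int err = 0;                               /* dead initialization */
    if (rec == NULL || rec_len < 2)
        return -1;
    size_t plen = rec[0];
    if (plen + 2 > rec_len)
        return -1;                             /* truncated record */
    if (xor_checksum(rec + 1, plen) != rec[1 + plen])
        err = -1;                              /* dead store: never read */
    err = copy_payload(rec + 1, plen, out, out_len);
    return err;
}

/* Corrected version: a failed integrity check leaves the function, so no
   status value can be overwritten on the way out. */
int parse_record_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    if (rec == NULL || rec_len < 2)
        return -1;
    size_t plen = rec[0];
    if (plen + 2 > rec_len)
        return -1;                             /* truncated record */
    if (xor_checksum(rec + 1, plen) != rec[1 + plen])
        return -1;                             /* corrupted record */
    return copy_payload(rec + 1, plen, out, out_len);
}

/* Constructed sample input: a valid record carrying "key", and the same
   record with one payload byte altered so the stored checksum no longer matches. */
static const uint8_t GOOD_REC[] = {3, 'k', 'e', 'y', 'k' ^ 'e' ^ 'y'};
static const uint8_t BAD_REC[]  = {3, 'k', 'e', 'Y', 'k' ^ 'e' ^ 'y'};

/* Run each parser over a record with a scratch output buffer and return its status. */
int run_buggy(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[16];
    return parse_record_buggy(rec, rec_len, out, sizeof out);
}

int run_fixed(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[16];
    return parse_record_fixed(rec, rec_len, out, sizeof out);
}
```

The defective parser accepts `BAD_REC` (returns 0) while the corrected one rejects it (returns -1); both accept `GOOD_REC`. That is the practical reading of a dead-store warning: before dismissing it as noise, ask what the overwritten value was supposed to do.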



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8783.1398202137>